Vishing Joins Phishing as Security Threat

Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.

Creative thieves are now switching their efforts to "vishing," which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.

Phishing is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon or eBay, asking them to click on a link and verify their account information.

The user is then directed to a fake site that collects the login and password information.

Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.

But now, the criminal element has shifted from asking people to click on links to asking them to place a phone call instead. Only the number doesn't belong to a bank or card issuer; it rings a VoIP phone that can recognize telephone keypad input.

The thieves don't even need an e-mail blast; they war-dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to "call the following (regional) phone number immediately."

When the user calls the number, another message is played stating "This is account verification. Please enter your 16-digit account number." The rest is academic.

Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking newsgroup sites and open disclosure discussion groups discussing vishing.

"This is just a natural evolution of phishing itself," said Paul Henry, vice president of strategic accounts for Secure Computing.

"Simply put, people are becoming more aware of the fact that an e-mail containing a URL could be malicious in nature. So hackers are moving away from the URL and using something victims are more familiar with like calling a number."

Henry said Secure Computing raised the issue over a year ago, but the first recorded incident took place last month, involving a Santa Barbara bank, followed by a second incident in early July involving PayPal.

Henry said there is no real preventative technology solution. Caller ID spoofing is very simple, and VoIP providers like Skype allow customers to pick not only their area code but the prefix as well, so it's possible to pick a phone number with the same area code and prefix as a major bank.

To that end, Henry thinks the VoIP companies could help with the issue by being a little stricter in their signup process, but doesn't think they will.

"These VoIP companies are in the business of producing value for their shareholders, so they are trying to drive down transaction costs. They want establishment of a new account to be as fast and painless as possible," Henry said.

At this point, common sense is your best defense, said Henry. "If you receive an e-mail that would direct you to a telephone number, don't use that number. Contact your credit card provider or whoever with a known number that's good."

Daniel Hong, senior voice business analyst for Datamonitor, concurred that users need to be educated all over again.

"There's definitely vulnerability, because this is a completely new approach, especially in terms of customer behavior and customer psyche," Hong said.

"There's been a lot of education on Internet scams, but there hasn't been a lot of awareness concerning the phone. So if there's an automated phone prompting you, it seems more credible than getting an e-mail blast from hackers out there."

More stringent measures for VoIP account activation could help, but in the end, education might be the best solution. "If the hacker is able to get to the consumer," said Hong, "then education will make the difference."